Friday, May 27, 2011

Have you heard of Apache Wicket? It's a web framework that tries hard to eliminate all the XML configuration you see in most modern application frameworks. The developer produces two primary flavors of artifacts-- Java classes and HTML pages, and with these two your application is built. If this sounds interesting, you probably don't need to see this new book from Packt.

You may be wondering why I wrote that you don't need to see the "Apache Wicket Cookbook" if you found the description of Wicket interesting. The reason I wrote that is because this book is going to be of very little value to someone who's just found out about Wicket. But if the reader already knows the basics-- then this book is a powerful resource.

There's very little introductory material. The book is honest about this in stating the target audience-- it says if you've already written a couple of Wicket applications, then you're a good candidate to pick this one up. I agree. If you don't know the basics of Wicket, a lot of this will be over your head.

Still reading? Then you might be familiar with writing Wicket applications already, and might wonder what you'll find in this book. I'd summarize it by saying there's plenty of material for someone charged with writing real-world applications in Wicket. A few examples: Securing your application, editing pairs of fields based on values in each, displaying data in the form of charts and tables that are sorted when you click a header. Still want more? How about integration with Spring, Seam, and JPA? The book reads like a bunch of answers to support questions, provided by someone who really knows Wicket but doesn't have time to explain all the theory behind the answers. There's just a flat out explanation of what to do, backed by code examples that quickly import into Eclipse and run flawlessly. If you want to understand *why* what you're doing works, it's going to be up to you to follow up with Wicket reference material to see why. High level overviews are not in the very direct path this book takes.

The book is written by Igor Vaynberg, who is probably the most prolific contributor to Wicket, so you know the author knows his stuff. The use cases are supposed to be issues that real-world users will need to conquer, and again Igor is a good source for these. (He is well regarded in the Wicket community. I encourage you to consult your friend Google to check this out.) Igor knows what people are wanting to do, and he knows how to do it. This book is a collection of that kind of information.

The book is written in Packt's "Cookbook" format, which is exactly what this book needed. It presents a problem, tells you the steps to find the answer, then briefly (very briefly) explains how it works. In-depth research is up to you.

Final verdict: If you're an active Wicket user, you should buy a copy of this book. It'll pay for itself the first time you need to solve one of the roughly 50 scenarios it covers. You'll have the right answer, the first time, and a running example to help you understand it. If your sense of curiosity demands that you understand all the details of how those parts work-- that's extra credit research for you, dear reader. But your site will have the functionality you seek in short order.

Sunday, May 15, 2011

The Manning 'In Action' books are usually good ones-- readable, thorough, and suitable for use as both an introduction and a reference. This book is no exception.

The topic is Camel, Apache's open source framework for implementing Enterprise Integration Patterns. If you're wondering what that means, you might consider Camel an 'ESB Lite'. It's not a true ESB, I think mostly because it doesn't have it's own hosting runtime, but beyond that it does many of the things an ESB does.

Camel can be used to route messages. So let's say you want to listen on a JMS queue and use the results to call a web service. No problem for Camel, the book tells you how. Likewise, if you want to do some message transformation-- maybe read in a file, split it into lines, enhance each line with some stuff you get from a database-- no problem. The book does a great job of demonstration through simple examples, which I found to run well and easily. Warning: if you're not a Maven user yet (I think Maven is beginning to definitively prevail in the Ant/Maven battle), you'll want to brush up a little as it's used exclusively throughout the example suite.

The book is exhaustive in it's coverage of Camel-related topics. Sometimes tech books are written in such a way that development-centric topics are given great coverage, while operational issues are not. This is not the case here-- it's obvious the authors of this book have spent some time deploying, running, and monitoring applications as well as writing them.

The source code that comes with the book is well organized, clean, and relevant for the chapter material it augments. Most important, it runs out of the box.

Camel basics (routes, Java and Spring configuration, the Enterprise Integration patterns) are all covered in more-than-adequate fashion. These are basic but necessary topics any good Camel source should provide. Where this book excels is in the ancillary material: management, monitoring, threading, transactions, testing, deployment in popular containers, etc. Very thorough, it's why this book is 550 text-packed pages long.

If I had one complaint about the book, it would be that the chapter ordering wasn't quite to my liking. The reader is given plenty of example material (including some advanced topics like transactions and concurrency) long before the basics of setting up a user-concocted "Hello World" project are presented. This is a minor nit, though, and it does not detract from the overall excellence of the book.

Bottom line: this is a must-have resource for any user of Apache Camel. It can take you from ground-level to production use, and will no doubt serve as a valuable resource for as long as you use Camel.

Thursday, May 5, 2011

Book Review for 'BackTrack 4: Assuring Security by Penetration Testing". White hats, get a copy now before the bad guys snap them all up.

I've just finished reading Packt Publishing's new book "BackTrack 4: Assuring Security by Penetration Testing". The book is meant to be a how-to guide for using BackTrack 4, a freely available Linux distribution whose sole purpose is to provide a platform for a hacker's arsenal. I'd never looked at Backtrack before, but believe me, it's a site to behold.

The distribution, once downloaded, can be installed on a machine or run as a 'live' DVD. (The book covers all this, naturally.) Once booted, the user has a *whole operating system* loaded to the gills with tools meant for breaking into computer networks and vulnerable hosts. It is frightening in it's scope.

The book is written for good guys, of course, so it includes a good amount of text that's of use to security professionals. It covers how you should make your agreements with the system owners you are assessing, the kinds of reports you should prepare, and a very useful framework for disciplined testing. The framework breaks penetration testing into discrete phases.

The first 'hacking' phase is Information Gathering. Here the user is introduced to about a dozen tools that can be used to find domain names, IP addresses, host names, and other information about the target environment.

The next phase is Target Discovery. Here the user finds hosts and identifies operating systems. Again, about a dozen different tools are presented.

The next phase is Target Enumeration. This phase allows the user to discover which ports are available, which services are offered, and what kinds of VPN are in use.

Once all this information is gathered, the user can proceed to Vulnerability Mapping. Here, another good sized set of applications are available to help the user determine what kinds of vulnerabilities exist in the target machines. This logically leads into the chapters on Target Exploitation, Privilege Escalation, and Maintaining Access.

Of course, no good book on penetration technique would be complete without a chapter on Social Engineering, and so we have one here.

So what did I think of the book? At first glance, honestly, I was unimpressed. Just picking up the book and thumbing through it revealed a great number of very brief introductions to tools. You'd see many pages where a tool is introduced, then given just a page or two of instructions on how to invoke it and what output to expect from it. It was only after I started actually reading the book that I realized the tools were neatly categorized (as explained above) and that the brevity of the introduction was soley because the authors already filled 350 pages and probably simply couldn't practically include more detail.

I've never intentionally hacked another system, but I have at times used tools like WireShark to observe network traffic as I sought to untangle some security problem or communications glitch. This book has provided me with several ideas for similarly useful tools, and introduced me to several I have no intention of ever using. (Unless I should decide to one day become a security consultant, and offer to hack into systems for profit. In that case, I'll make myself familiar with all the tools in the BackTrack toolkit.)

If your livelihood depends on a secure site, you probably ought to get a copy of this book for your in-house penetration tester. It's an eye-opener.